Roumen
Thank you for looking at the patch and reporting the problem with it. I
apologise that I did not test it properly. The path loop test in the patch
should of course be first whether the issuer is in the chain and, only if it is,
then whether it is lower than the cert x, i.e.
+ if (issuer_num && (issuer_num < x_num))
Please find a corrected version below.
Best Regards
Nick
-------------
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 64df4d3..7bbe43b 100755
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -443,15 +443,18 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x,
X509 *issuer)
{
int i;
X509 *ch;
+ int issuer_num = 0;
+ int x_num = 0;
for (i = 0; i < sk_X509_num(ctx->chain); i++)
{
ch = sk_X509_value(ctx->chain, i);
if (ch == issuer || !X509_cmp(ch, issuer))
- {
- ret = X509_V_ERR_PATH_LOOP;
- break;
- }
+ issuer_num = issuer_num ? issuer_num : i+1;
+ if (ch == x || !X509_cmp(ch, x))
+ x_num = i+1;
}
+ if (issuer_num && (issuer_num < x_num))
+ ret = X509_V_ERR_PATH_LOOP;
}
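Review bot: In the final test `if (issuer_num && (issuer_num < x_num))`, x_num is still 0 whenever x itself is not found in ctx->chain, so the comparison is false and an issuer that is already in the chain is no longer reported as X509_V_ERR_PATH_LOOP, which the removed lines did report. If callers guarantee that x is always in the chain, state that in a comment above the loop; otherwise handle x_num == 0 explicitly. The loop also keeps the first position of issuer but the last position of x, and that asymmetry decides the outcome when x and issuer compare equal, so it deserves a comment too. `issuer_num = issuer_num ? issuer_num : i+1;` would read more clearly as `if (!issuer_num) issuer_num = i+1;`, with braces around both new if bodies to match the braced style of the lines being replaced.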
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]